L7 Visibility support in Antrea

Signed-off-by: Tushar Tathgur <tathgurt@tathgurtFLVDL.vmware.com>

build/charts/antrea/README.md

@@ -78,7 +78,7 @@ Kubernetes: `>= 1.16.0-0`
 | enableBridgingMode | bool | `false` | Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected to the OVS bridge. |
 | featureGates | object | `{}` | To explicitly enable or disable a FeatureGate and bypass the Antrea defaults, add an entry to the dictionary with the FeatureGate's name as the key and a boolean as the value. |
 | flowExporter.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. |
-| flowExporter.enable | bool | `false` | Enable the flow exporter feature. |
+| flowExporter.enable | bool | `true` | Enable the flow exporter feature. |
 | flowExporter.flowCollectorAddr | string | `"flow-aggregator/flow-aggregator:4739:tls"` | IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>]. If the collector is running in-cluster as a Service, set <HOST> to <Service namespace>/<Service name>. |
 | flowExporter.flowPollInterval | string | `"5s"` | Determines how often the flow exporter polls for new connections. |
 | flowExporter.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. |

build/charts/antrea/conf/antrea-agent.conf

@@ -80,6 +80,9 @@ featureGates:
 # Allow users to specify the load balancer mode as DSR (Direct Server Return).
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "LoadBalancerModeDSR" "default" false) }}
 
+# Enable L7Visibility on Pods and Namespace.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "L7Visibility" "default" false) }}
+
 # Name of the OpenVSwitch bridge antrea-agent will create and use.
 # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
 ovsBridge: {{ .Values.ovs.bridgeName | quote }}

build/charts/antrea/templates/agent/clusterrole.yaml

@@ -173,7 +173,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -219,3 +218,15 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete

build/charts/antrea/values.yaml

@@ -322,7 +322,7 @@ controller:
 
 flowExporter:
   # -- Enable the flow exporter feature.
-  enable: false
+  enable: true
   # -- IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
   # If the collector is running in-cluster as a Service, set <HOST> to
   # <Service namespace>/<Service name>.

build/yamls/antrea-aks.yml

@@ -5535,6 +5535,9 @@ data:
     # Allow users to specify the load balancer mode as DSR (Direct Server Return).
     #  LoadBalancerModeDSR: false
 
+    # Enable L7Visibility on Pods and Namespace.
+    #  L7Visibility: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5654,7 +5657,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -6161,7 +6164,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -6207,6 +6209,18 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -6818,7 +6832,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e982ae7bedfa361f13e134516243f3c8d566b9297abc58f51c9cd1b637739790
+        checksum/config: decff49e8a2dd2019acbb0b49a88c1deb81b53fc64e4b6ca2741babac00ae97a
       labels:
         app: antrea
         component: antrea-agent
@@ -7059,7 +7073,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e982ae7bedfa361f13e134516243f3c8d566b9297abc58f51c9cd1b637739790
+        checksum/config: decff49e8a2dd2019acbb0b49a88c1deb81b53fc64e4b6ca2741babac00ae97a
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -5535,6 +5535,9 @@ data:
     # Allow users to specify the load balancer mode as DSR (Direct Server Return).
     #  LoadBalancerModeDSR: false
 
+    # Enable L7Visibility on Pods and Namespace.
+    #  L7Visibility: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5654,7 +5657,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -6161,7 +6164,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -6207,6 +6209,18 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -6818,7 +6832,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e982ae7bedfa361f13e134516243f3c8d566b9297abc58f51c9cd1b637739790
+        checksum/config: decff49e8a2dd2019acbb0b49a88c1deb81b53fc64e4b6ca2741babac00ae97a
       labels:
         app: antrea
         component: antrea-agent
@@ -7060,7 +7074,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e982ae7bedfa361f13e134516243f3c8d566b9297abc58f51c9cd1b637739790
+        checksum/config: decff49e8a2dd2019acbb0b49a88c1deb81b53fc64e4b6ca2741babac00ae97a
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -5535,6 +5535,9 @@ data:
     # Allow users to specify the load balancer mode as DSR (Direct Server Return).
     #  LoadBalancerModeDSR: false
 
+    # Enable L7Visibility on Pods and Namespace.
+    #  L7Visibility: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5654,7 +5657,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -6161,7 +6164,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -6207,6 +6209,18 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -6818,7 +6832,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 977cc5c6179f9ac01800457f4549f2783876dd94f2eaf165085808b742019cc1
+        checksum/config: dd8501e04951f3bbe5249f53fc82d04235f5fb9f7e29bff008acf01324544e13
       labels:
         app: antrea
         component: antrea-agent
@@ -7057,7 +7071,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 977cc5c6179f9ac01800457f4549f2783876dd94f2eaf165085808b742019cc1
+        checksum/config: dd8501e04951f3bbe5249f53fc82d04235f5fb9f7e29bff008acf01324544e13
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -5548,6 +5548,9 @@ data:
     # Allow users to specify the load balancer mode as DSR (Direct Server Return).
     #  LoadBalancerModeDSR: false
 
+    # Enable L7Visibility on Pods and Namespace.
+    #  L7Visibility: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5667,7 +5670,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -6174,7 +6177,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -6220,6 +6222,18 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -6831,7 +6845,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 754b9e45b24d9a03a6be907d1dda1966a84598841e871bfa624932e11aeb739f
+        checksum/config: df60dfa3e1201bc80193f39d5f38b03f4713be2bbc2b2334381c8aa47d8f1e9a
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -7116,7 +7130,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 754b9e45b24d9a03a6be907d1dda1966a84598841e871bfa624932e11aeb739f
+        checksum/config: df60dfa3e1201bc80193f39d5f38b03f4713be2bbc2b2334381c8aa47d8f1e9a
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea.yml

@@ -5535,6 +5535,9 @@ data:
     # Allow users to specify the load balancer mode as DSR (Direct Server Return).
     #  LoadBalancerModeDSR: false
 
+    # Enable L7Visibility on Pods and Namespace.
+    #  L7Visibility: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -5654,7 +5657,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -6161,7 +6164,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -6207,6 +6209,18 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -6818,7 +6832,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 7218db7d40a2ba0043ebc518f71ed1e5c38a715360a732492ae762964e11c884
+        checksum/config: c4f58fbb3065448295fab081c6bb9fa5e69536333ee9e32464ffaee9a84148ed
       labels:
         app: antrea
         component: antrea-agent
@@ -7057,7 +7071,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 7218db7d40a2ba0043ebc518f71ed1e5c38a715360a732492ae762964e11c884
+        checksum/config: c4f58fbb3065448295fab081c6bb9fa5e69536333ee9e32464ffaee9a84148ed
       labels:
         app: antrea
         component: antrea-controller

cmd/antrea-agent/agent.go

@@ -39,6 +39,7 @@ import (
 	"antrea.io/antrea/pkg/agent/controller/egress"
 	"antrea.io/antrea/pkg/agent/controller/ipseccertificate"
 	"antrea.io/antrea/pkg/agent/controller/networkpolicy"
+	"antrea.io/antrea/pkg/agent/controller/networkpolicy/l7engine"
 	"antrea.io/antrea/pkg/agent/controller/noderoute"
 	"antrea.io/antrea/pkg/agent/controller/serviceexternalip"
 	"antrea.io/antrea/pkg/agent/controller/traceflow"
@@ -710,6 +711,7 @@ func run(o *Options) error {
 
 	if features.DefaultFeatureGate.Enabled(features.TrafficControl) {
 		tcController := trafficcontrol.NewTrafficControlController(ofClient,
+			crdClient,
 			ifaceStore,
 			ovsBridgeClient,
 			ovsCtlClient,
@@ -718,6 +720,9 @@ func run(o *Options) error {
 			namespaceInformer,
 			podUpdateChannel)
 		go tcController.Run(stopCh)
+		if features.DefaultFeatureGate.Enabled(features.L7Visibility) {
+			go l7engine.Run(tcController)
+		}
 	}
 
 	//  Start the localPodInformer